Closed Bug 1712713 Opened 4 years ago Closed 3 years ago

Support tab containers in (permanent) private browsing mode

Categories

(Firefox :: Tabbed Browser, enhancement)

Product:
Firefox
Component:
Tabbed Browser
Version:
Firefox 88
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1320757

People

(Reporter: sworddragon2, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

  1. Go to about:config.
  2. Set privacy.userContext.enabled to true and restart Firefox.
  3. Enable (permanent) private browsing mode.
  4. Try to open a new tab container (e.g. menu bar -> File or the context menu via a link).

Actual results:

Entries to open new tabs in new containers are either missing or grayed out.

Expected results:

Tab containers should also be supported in (permanent) private browsing mode.

Additional details:

The old FPI implementation was not fully supported on (permanent) private browsing mode too but this changed with dFPI. But even with (a strict) dFPI, privacy.resistFingerprinting=true, etc. websites still have limited capabilities to cross-site-track and login-track an user.

For example if I login at https://store.steampowered.com and then enter in a new tab the address https://help.steampowered.com I am immediately loged in there too. Or doing searches on Google and at a later point going to YouTube rarely caused me to see too suspicious recommendations. I assume if 2 different domains are under control of the same entity or if 2 different entities cooperate their websites could simply double-forward (e.g. opening https://www.youtube.com could immediately forward to https://www.google.com which could then immediately forward back to https://www.youtube.com with a unique GET parameter) at the start and carry information via this way to identify an user without the user noticing (explicitely clicking links would work too - or the services might just have found another loophole for cross-site tracking).

Another example is to login into the Amazon account and buying something, loging out and then entering the address of Twitch in another tab. This would make it easy for Amazon/Twitch to link both identities (even with strong privacy settings like permanent private browsing mode, strict dFPI, resistFingerprinting enabled, etc.) and secretly link the Twitch behavior to the Amazon account which an user would probably not expect in this scenario.

Summary: Support userContext in (permanent) private browsing mode → Support tab containers in (permanent) private browsing mode

Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:88.0) Gecko/20100101 Firefox/88.0

Hi,
Thank you for opening this enhancement. I will set this as New for visibility and waiting for the developers opinion about it. If its not the correct component, please feel free to change it to an more appropriate one.

Thanks for your suggestion.

Status: UNCONFIRMED → NEW
Component: Untriaged → Tabbed Browser
Ever confirmed: true
Status: NEW → RESOLVED
Closed: 3 years ago
Duplicate of bug: 1320757
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.